Trojans pose serious risks for any personal and sensitive information stored on compromised Android devices, the FBI warns. But experts say any mobile device is potentially at risk because the real problem is malicious applications - which in an open environment are impossible to control. And anywhere malicious apps are around, so is the potential for financial fraud.
The alert from the Internet Crime Complaint Center, a unit of the FBI, addresses two new Android Trojans known as Loozfon and FinFisher.
Recent attacks showed Loozfon has the ability to steal a mobile user's phone number as well as contact details. In one type of Loozfon attack, unsuspecting consumers were lured in by advertisements promoting fraudulent work-at-home opportunities.
The alert does not specify how those ads were promoted - through e-mail, SMS/text or both. But the FBI warns that links within the ads lead to websites designed to push Loozfon onto users' devices.
FinFisher, on the other hand, is spyware that targets Android smart phones, hijacking specific components that enable hackers to remotely control and monitor a compromised device, regardless of its location. The spyware reaches a smart phone when the user clicks an infected web link or opens an SMS message sent directly to the mobile user, usually one that falsely appears to provide a link to a system update, the FBI states.
Bad Rap for Android?
Jason Malo, a research director at CEB TowerGroup who focuses on financial fraud and mobile, says the Android operating system is not the cause of the problem.
"It's the openness of the app marketplace that allows malware to run rampant," Malo says, not the Android OS itself.
"This is one of the first consumer-focused, security-oriented lists for mobile I've seen," Malo says. "That's a good thing, but it also is a pretty definite signal that security is becoming a problem."
Until the mobile industry can figure out a way to better control or vet readily available apps, mobile malware concerns will mount, Malo contends. "I'm not saying there should only be one store, but there does need to be some sort of reputational measure, akin to what SSL [secure socket layer] site certificates can help provide."
Link to Financial Fraud
George Tubin, a malware and financial security expert at anti-malware vendor Trusteer, says the FBI's warning is alarming because these types of attacks can easily lead to incidents of financial account takeover.
"What I think may happen, and what may have already happened and triggered the FBI to issue this alert, is that login credentials, such as username and password, for online banking access could be stolen," Tubin says. "When a hacker gets access to a mobile device and is able to take it over, he can get all of the information that is on that device."
So mobile users who access online accounts through mobile browsers, or those who save online-banking credentials somewhere on their devices, are at obvious risk, he says. Additionally, any online purchase that is made through an e-commerce site on a compromised device also could expose credit and debit details, including three-digit security codes required for card-not-present transactions, he adds.
"There also could be vulnerabilities for P2P [peer-to-peer] payments," Tubin says. Any time a transaction is routed through a mobile device that has been infected, it's safe to assume the hackers who infected that device are monitoring everything the user does, he adds.
"We've heard about mobile malware concerns for a while, and the vulnerabilities inherent to Android because of its openness," he says. "But the alerts we are now seeing coming out from the FBI are highlighting some very different attack vectors. We have to take these threats seriously."
Exploited Security Features
In its list of privacy concerns, the FBI notes that the activation of geo-location features, which some institutions have relied on to help authenticate mobile users and transactions, can be exploited for fraudsters' gain.
The FBI alert does not link geo-location features with increased concerns for data compromise. But it suggests a compromised mobile device with enabled geo-location features poses physical risks, "raising concerns of assisting a possible stalker and/or burglaries."
Tubin says out-of-band authentication on mobile devices also can increase the risk of fraud.
"If a mobile phone is hacked, those SMSes that include one-time passcodes for online transaction approval can be redirected to criminals," he says. If the online account of that mobile user has already been compromised, then the hacker has just bypassed the out-of-band authentication measure.
Securing Mobile Devices
While the FBI alert notes security and privacy concerns specific to Android, it recommends 13 security precautions. The list suggests: